The tremendous success of personal computers ("PCs") has brought significant changes to the field of electronic data processing. Large numbers of PCs have been sold to small businesses as entry-level systems to be operated as stand-alone computers. However, even greater quantities of PCs have been sold to major organizations in both the public and private sectors for use as intelligent workstations in sophisticated data processing networks. These PC networks have led to the development of electronic highways which allow data to be transported easily and quickly from one workstation to any other workstation in the network. The driving force for this rapid development of widespread PC networks has been the potential of increased business productivity.
As PC networks have increased in size, data processing managers have discovered that each PC in the network is more than merely an intelligent workstation. In a network, each PC is really a general-purpose computer having access to a vast array of stored electronic data. The problem is that each individual PC in a network has no significant data security, transaction audit, or management control features built into the workstation. As a consequence, the integration of large arrays of PCs into data communications networks is causing serious problems in the areas of network management, data integrity, data security, and financial management. These problems arise because storing information in a PC network is equivalent to storing information in an unlocked filing cabinet. An individual using a PC workstation can view all the data in the PC and much of the data in the PC network, can change or retrieve any data desired, and can make copies of any file, all without leaving evidence of what transactions were accomplished.
In response to these recognized security problems, organizations have taken two basic approaches. As a first approach, administrative strategies such as procurement policies and procedures have been used to slow the uncontrolled expansion of PC networks. This solution, however, has been unsuccessful due to the relatively low cost of PC hardware, the multiplicity of distribution channels for PCs in the marketplace, and the ease of connecting additional PCs to an existing network. As a second approach, many organizations have tried to implement technical solutions to safeguard their electronic data bases. These solutions include various software systems presently available in the marketplace, such as "Knight Data Security Manager" by AST Research, Inc. and "Watchdog" by Fischer Innis Systems Corp. However, none of these solutions has been totally acceptable because of the nature of PC operating systems, which are single-user operating systems wherein the user effectively controls all the system resources. As a result, any security measures based on typical PC operating systems can be circumvented. Security systems involving hardware as well as software are available, but the present products have fallen short of the functional requirements for stand-alone PCs, and they have not been designed to be integrated into the data processing networks found in most large organizations.
The United States Government has taken an aggressive stand on electronic data processing security as reflected in National Security Decision Directive 145. This Executive Order, signed on Sept. 17, 1984, requires all government data processing and telecommunications installations to be secure. In addition, the United States Congress passed the Computer Fraud Act of 1984 to address the problem of computer crime, and the Department of Defense ("DOD") has been actively evaluating computer products designed to meet the stringent security requirements of the government.
In the private sector, the growth of PC workstation networks has slowed down significantly. Local area networks are no longer being eagerly installed, and the connection of additional PCs to existing networks is being resisted by data processing managers who are unable to control PCs once they are connected in the network. This slowdown in the private sector is simply the result of escalating costs associated with the problems of data base security. In some cases these costs have begun to exceed the benefits attributable to the use of PC networks.
As a result of these serious problems associated with electronic data processing security, there is a tremendous need for a PC security system which provides network management control, data base integrity, and transaction audit features that allow security managers to trace individual user actions. However, any new PC security system should be designed to meet the needs of the marketplace, which include the following constraints: U.S. Government specifications, such as the Trusted Computer System Evaluation Criteria, for DOD-approved secure computing equipment; private sector data processing requirements that the system provide asset management, network management, financial accountability, software compatibility, and no loss of business productivity; software vendor requirements that the system respect the integrity of the vendor's proprietary data structures, algorithms, and user interface; hardware vendor requirements that the system perform within the constraints of the hardware's input/output systems, operating systems, and interface technology; and product marketing requirements that the security system meet the needs of a broad spectrum of customers and also remain inexpensive to sell and maintain.